Someone’s Been Using Stingray Devices to Spy on Smartphones Near the White House

It appears someone has been spying on smartphones near the White House. While it remains unclear who was behind this surveillance campaign, a federal study has found signs of surveillance devices known as IMSI catchers or Stingray (by the brand name) in other sensitive locations in Washington, as well.

The details were made public earlier today when Senator Ron Wyden (D-OR) shared a letter (PDF) he received from the US Department of Homeland Security in May mentioning these surveillance devices that are used to spy on phone calls and text messages.

“An IMSI is a unique identification number used to recognize a mobile device on any cellular network, and IMSI catcher technology can be used to monitor and track cellular communications and devices as they communicate with networks,” the letter to Wyden sent by Christopher Krebs, Senior Official Performing the Duties of the Under Secretary, explains.

IMSI catchers in abundance around the White House

The letter to the Senator reveals that DHS National Protection and Programs Directorate (NPPD) conducted a pilot project deploying sensors in National Capitol Region (NCR) to identify IMSI catcher activity. According to this letter, NPPD has observed “anomalous activity” around potentially sensitive locations like the White House, however, the agency hasn’t “validated nor attributed” this activity to any specific entity.

“The news of a possible foreign stingray near the White House is of particular concern giving reports that the president isn’t even using a secure phone to protect his calls,” Wyden said in a statement. “The cavalier attitude toward our national security appears to be coming from the top down.”

Wyden released this letter to push the government, specifically the Federal Communications Commission, the country’s communications watchdog, to further investigate the matter. Popularly known as Stingray, these surveillance devices are used to snoop on targets. They can not only record calls and text messages but can also deliver malware to steal information.

While DHS may be worried about finding Stingrays near the White House, as the agency itself noted IMSI catchers are used in “lawful” scenarios, as well, by both the local and federal police – not to forget the foreign spy agencies. Activists have often warned that the authorities inside the country use IMSI catchers with little to no oversight, catching and collecting calls and other data from innocent people in the area during their surveillance operations on legitimate targets.

Signaling System Seven (SS7) flaws are being exploited to spy on anyone from anywhere

The letter separately mentions the publicly known SS7 flaws that have been demonstrated to various lawmakers in the past too. As seen in multiple previous reports, the decades-old protocol (developed in the 1970s!) can be easily exploited by a resourceful or sophisticated adversary, government-owned carriers, or someone having the right contacts in the dark web. This access can be used to steal data, snoop on targets, and take over online identities by receiving victim’s text messages thereby bypassing SMS-based two-factor authentication process.

While the flaws in the protocol have been known for years now, some critics suggest governments aren’t pushing for a reform because until now these flaws were largely exploited by the governments themselves in targeted surveillance programs. However, a report earlier this week revealed that criminals are exploiting SS7 flaws to scoop up data on over millions of mobile subscribers.

The DHS letter said the agency had received reports that “nefarious actors” (means, not the US government…) may have exploited SS7 vulnerabilities to spy on American citizens. Unlike IMSI catchers that need to be placed in close proximity to the target device, SS7 vulnerabilities can be exploited to intercept calls, text messages and location information from anywhere in the world.

Users can always opt for end to end encrypted messaging services to stay safe from these attacks. However, as previously reported SS7 exploits can be used to take over online accounts if they are being protected through SMS-based 2FA.

“We continue to monitor reports of the use of IMSI devices and to coordinate closely with our counterparts at DHS, DOJ, and the FBI,” the US communication watchdog said in its statement to the Washington Post. “The FCC strenuously enforces its rules against the unauthorized use of licensed radio spectrum and harmful interference with licensed users of the airwaves.”

“I don’t think most Americans realize how insecure US telephone networks are,” Wyden said in his statement.

“If more consumers knew how easy it is for bad guys to track or hack their mobile phones, they would demand the FCC and wireless companies do something about it. These aren’t just hypotheticals.”